Secureworks experts’ predictions
Emerging Cybersecurity Trends in 2023
Across the Threat Landscape
Find out what Secureworks threat intelligence experts predict will change and what will remain the same as we bring 2023 into focus…
The past year has seen a mixture of change and stasis in the threat landscape, as explored in the 2022 State of the Threat report. TTPs evolved but ransomware and business email compromise remained priority threats. The coming year will see the gradual evolution of some threats and new developments in others.
Economic and political cyber espionage will remain a priority for China
China’s intelligence collection activities will remain driven by its economic and political imperatives. China has high-priority targets to meet in terms of economic and social development, made more pressing by continuing COVID outbreaks and a zero-tolerance stance on COVID. Chinese intelligence collection will remain both broad and deep, as the Chinese Communist Party will not accept failure on any of its key focus areas. China’s focus will be on upgrades to its manufacturing base, food stability, housing, energy supply, and natural resources. Organizations operating in or supplying any of those areas, particularly high-tech industries, are potential targets of Chinese cyber espionage. As tensions continue to rise around Taiwan and the South China Sea, and China continues to drive forward with its Belt and Road Initiative (BRI), a large proportion of China’s cyber espionage apparatus will be regionally focused, targeting governments and critical infrastructure projects, as well as dissidents and other individuals opposed to the Chinese state.
Government-sponsored harassment and cybercrime overlap for Iran
Iran will exploit the blurring of state-sponsored activity with cybercrime, both against regional adversaries and more broadly. Iran will continue to make use of offensive cyber operations under the guise of hacktivist and cybercrime personas to harass and intimidate regional adversaries, particularly Israel. A natural extension of this approach will see increased levels of Iranian cybercriminal activity outside of the Middle East, with other groups building on the opportunistic ransomware model used by the IRGC-affiliated COBALT MIRAGE threat group. Iran will exploit this financially motivated activity as a plausible cover for state espionage or disruption operations, which can be dismissed as part of a “cybercrime problem.”
Russia will continue to split its focus between Ukraine and broader intelligence objectives
Ukraine will continue to be a target regardless of the outcome of the military conflict. Meanwhile, long-term intelligence priorities will continue to be a focus for other Russian groups. New revelations will emerge of large-scale covert foreign intelligence gathering by Russian threat groups, likely using novel techniques involving the compromise of cloud environments and identity management systems. Even if the conflict in Ukraine is fully resolved, Russian threat groups linked to the GRU and FSB will continue to direct their resources against Ukraine and Russia’s near abroad for intelligence gathering, disruptive attacks, and disinformation campaigns. The growing focus on global energy security will see an increased focus, both from Russian threat groups and Western governments, on the security of related critical infrastructure.
Crypto remains a tempting target
Decentralized finance will displace traditional banks as a target for cybercriminals and state actors. More bridging protocols will be attacked in crypto and decentralized finance, leading to further large-scale heists. North Korean threat actors, tasked with raising money for the sanctions-hit pariah state, will be responsible for a significant proportion of these events.
A shift to new tools
Cross-platform compatibility will be important for malware developers, leading to an increase in malware written in Rust and Go. Threat actors will continue a gradual shift toward leveraging emerging post-exploitation frameworks like Sliver and Brute Ratel, in preference to Cobalt Strike, to reduce their chances of being detected.
Offensive security will expand its capabilities and use
As regulation mandates offensive security testing across more and more industries, offensive testing services will continue to evolve to provide technical data on vulnerabilities, emulate real-world adversary techniques, and assess defenders’ abilities to detect and respond.
Security training needs to be engaging if it is to pay off
The quality of user security training will remain a determining factor in exploitation and security issues in the workplace. Holistic, in-depth, and entertaining training will increase user awareness and add value to the overall security posture of a company. “Click, click, here is your certificate” type of training, or training based on naming and shaming or failing a test, will lead to a decline in the effectiveness of the overall security program.
The insider threat will grow
More stories of “insider threat” rogue employees will emerge, potentially driven by cost-of-living pressures arising from the economic downturn in certain countries. Enterprising threat actors, both cybercriminal and government-sponsored, will be alert to these opportunities, looking out for insiders they can take advantage of.
Cyber insurance policies will become harder to obtain and harder to use
Keen to reduce their risk exposure, insurance companies will prove a major motivator for offensive and defensive security work. The requirements on organizations wishing to obtain cyber insurance will become more and more stringent, and organizations that are unable or unwilling to comply will find coverage is declined. Policy exclusions will become more numerous, following on from the exclusion of state-backed attacks.
Ransomware-as-a-service will continue to thrive
New ransomware-as-a-service (RaaS) schemes will continue to emerge, but the landscape will be dominated by a handful of cybercriminal groups operating a small number of very active schemes. Those dominant RaaS schemes will increase their capacity to support more affiliates. Experienced cybercriminals under sanction by the U.S. authorities will make use of existing RaaS schemes as a way of complicating attribution of their attacks. At the other end of the spectrum, less sophisticated affiliates will conduct simplistic ransomware deployments against small numbers of hosts, rather than full-blown, enterprise-wide encryption events.
Business email compromise grabs fewer headlines but constitutes a growing threat
Business email compromise (BEC) attacks will continue to generate vast revenue streams for criminals and remain underreported. BEC will increasingly become a focus area for law enforcement and policymakers. Organizations that cannot detect and respond to unauthorized user activity in the “noise” of cloud environments will be soft targets for BEC groups.
Extortion-only attacks will increase
Extortion-only attacks will increase in number. Relatively unsophisticated in nature, they will nonetheless highlight organizations’ security control gaps. However, in the long term, ransomware attacks will continue to provide cybercriminals with a better return on investment.
*Predictions are based on the opinions of Secureworks experts.
Extortion-only attacks will increase. Despite a proliferation of ransomware groups, a small number of established RaaS schemes will dominate the landscape. Relatively unsophisticated but nevertheless successful extortion-only attacks will continue to highlight organizations’ security control gaps. However, in the long term, ransomware attacks will continue to provide cybercriminals with a better return on investment.
Secureworks Counter Threat Unit™ analyzed more than 1,400 incident response engagements and trillions of event logs from customer telemetry, and monitored the activities of over 300 threat groups, to produce the “2022 State of the Threat” report.